From Dominik Reichl
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
* KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithms to encrypt its password databases.
* Both of these ciphers are regarded as very secure by the cryptography community. Banks are using these algorithms for example, too.
* Even if you would use all computers in the world to attack one database, decrypting it would take longer than the age of the universe.
* Even quantum computers won't help that much. The algorithms are symmetric so its complexity would be reduced a bit, anyway, the sun will go nova before you have decrypted the database.
* The complete database is encrypted, not only the password fields. So your usernames, notes, etc. are protected, too.
* SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
* In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
* Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder.
* In-Memory Passwords Protection: Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
* [2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key.
* Security-Enhanced Password Edit Controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies work against these controls. The passwords entered in those controls aren't even visible in the process memory of KeePass.
* Also see the security information page.
Key Multiple User Keys
* One master password decrypts the complete database.
* Alternatively you can use key files. Key files provide better security than master passwords in most cases. You only have to carry the key file with you, for example on a floppy disk, USB stick, or you can burn it onto a CD. Of course, you shouldn't lose this disk then.
* For even more security you can combine the above two methods: the database then requires the key file and the password in order to be unlocked. Even if you lose your key file, the database would remain secure.